Data Processing Agreement

Last updated: 27 April 2026 (version 2.0)

1. The Parties and Acceptance

This Data Processing Agreement ("DPA") is entered into between:

The Processor: SSIT, MB (legal form: mažoji bendrija; company registration number: 306676561; registered address: Blindžių g. 24-5, LT-08110 Vilnius, Lithuania), the operator of the Talentika platform ("Processor").

The Controller: the legal entity that has accepted Talentika's Terms of Service and uses the Service to process personal data ("Controller").

This DPA forms an integral part of the Terms of Service. It is accepted electronically when the Controller accepts the Terms of Service or upon first use of the Service. The version of this DPA in force is the version published at talentika.lt/dpa at the time of acceptance. The Controller may request a countersigned copy by contacting info@talentika.lt.

2. Subject Matter and Purpose

The Processor processes personal data on behalf of the Controller for the purpose of providing recruitment management services, including hosting career pages, managing job advertisements, processing applications, scheduling interviews, sending automated email notifications, and providing analytics. This DPA governs all processing of personal data carried out by the Processor on behalf of the Controller under the EU General Data Protection Regulation (2016/679) ("GDPR") and the Republic of Lithuania Law on Legal Protection of Personal Data.

3. Definitions

Terms used in this DPA have the meaning given in Article 4 GDPR. In particular: "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-processor", and "Personal Data Breach".

4. Duration

This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller under the Terms of Service, and shall continue thereafter to the extent required for the return or deletion of Personal Data and to comply with applicable law.

5. Categories of Data Subjects and Personal Data

Data subjects:

  • Job candidates who apply through the Controller's career pages or whose data the Controller imports into the Service.
  • The Controller's employees and authorised users (recruiters, hiring managers, administrators).
  • Visitors to the Controller's career pages.

Categories of personal data:

  • Candidate data: name, email address, phone number, CV/résumé, cover letter, application form responses, interview schedules, recruiter notes and ratings, tags, GDPR consent records, and uploaded files.
  • User data: name, email address, role, activity logs, and notification preferences.
  • Career page visitor data: IP addresses, browser information, page views (anonymised where feasible).

Special categories of data: the Service is not designed to process special categories of personal data (Article 9 GDPR). The Controller agrees not to upload or process such data through the Service unless it has confirmed in writing with the Processor that appropriate additional safeguards are in place.

6. Processor's Obligations

The Processor shall:

  • (a) Process on instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by EU or Member State law. In such a case, the Processor shall inform the Controller of the legal requirement before processing, unless the law prohibits such information.
  • (b) Confidentiality: Ensure that persons authorised to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
  • (c) Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The current measures are described in Section 12 of this DPA.
  • (d) Sub-processors: Engage sub-processors only in accordance with Section 9 of this DPA.
  • (e) Assistance with data subject rights: Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Articles 15-22 GDPR. The Service includes built-in features (data export, account deletion, candidate data deletion) to facilitate such requests.
  • (f) Assistance with controller obligations: Assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
  • (g) Return or deletion of data: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services and delete existing copies, unless EU or Member State law requires storage. Upon request, the Processor shall provide written confirmation of deletion.
  • (h) Demonstrate compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 GDPR, and allow for and contribute to audits as set out in Section 13.

7. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data Breach. The notification shall include, to the extent known:

  • (a) The nature of the breach, including the categories and approximate number of data subjects and Personal Data records concerned;
  • (b) The name and contact details of a contact point at the Processor where more information can be obtained;
  • (c) The likely consequences of the breach;
  • (d) The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects;
  • (e) The time at which the Processor became aware of the breach.

If not all information is available within 48 hours, the Processor shall provide it in phases without further undue delay.

8. Sub-processor List

The Controller authorises the Processor to engage the following sub-processors as of the date of this DPA. A current list is available at talentika.lt/dpa#sub-processors.

  • Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992). Service: database, authentication, file storage. Location: Frankfurt (EU) primary; entity is US-incorporated. Transfer mechanism: EU-based infrastructure; SCCs for any transfers outside the EEA.
  • Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). Service: application hosting, CDN. Location: global; EU data centres available. Transfer mechanism: SCCs (2021/914).
  • Resend (Plus Five Five, Inc.) (2261 Market Street #4667, San Francisco, CA 94114, USA). Service: transactional email delivery. Location: USA / EU. Transfer mechanism: SCCs (2021/914).
  • OpenAI, L.L.C. (1455 3rd Street, San Francisco, CA 94158, USA). Service: AI content generation (only when AI features are enabled by the Controller). Location: USA. Transfer mechanism: SCCs (2021/914); EU Data Residency where available.
  • Upstash Inc. (530 Lytton Ave, Palo Alto, CA 94301, USA). Service: rate limiting, security (processes IP addresses). Location: EU regions. Transfer mechanism: SCCs (2021/914).
  • UAB CV-Online Latvia (CV Online). Service: job board integration (only when enabled by the Controller). Location: EU (Lithuania/Latvia). Transfer mechanism: EU-based; no transfer outside the EEA.
  • Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Service: Google Calendar API: interview scheduling, calendar event read/write on behalf of users. Location: USA. Transfer mechanism: SCCs (2021/914).
  • Pexels GmbH (Canva group) (Geisbergstraße 7-9, 10777 Berlin, Germany). Service: stock photo search and use for career pages. Location: EU. Transfer mechanism: EU-based.
  • Unsplash Inc. (subsidiary of Getty Images) (400 Lafayette Street, 5th Floor, New York, NY 10003, USA). Service: stock photo search and use for career pages. Location: USA. Transfer mechanism: SCCs (2021/914).
  • Google LLC. Service: Google Fonts: font delivery for career pages (processes visitor IP addresses). Location: USA. Transfer mechanism: SCCs (2021/914).
  • Vercel Inc. Service: Vercel Analytics: anonymised web analytics (only with visitor consent). Location: USA. Transfer mechanism: SCCs (2021/914).

9. Changes to Sub-processors

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, providing the Controller with at least 30 days to object on reasonable grounds. If the Controller objects within the 30-day period, the parties shall in good faith seek a commercially reasonable alternative. If no alternative is available within a further 30 days, the Controller may terminate the affected portion of the Service or the Terms of Service in their entirety, with a pro-rata refund of any prepaid fees for the unused portion of the term. No further compensation shall be payable in respect of such termination.

10. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, including the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and supplementary measures where required. The Processor maintains current records of the transfer mechanism applicable to each sub-processor.

11. Data Subject Requests

The Processor shall, where possible, forward to the Controller without undue delay any request received directly from a data subject and shall not respond to such requests except on documented instructions from the Controller. The Processor shall make available within the Service technical features (data export, deletion, search) to enable the Controller to respond to data subject requests.

12. Security Measures

The Processor implements the following technical and organisational measures:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
  • Access control: Role-based access control with company-level data isolation (multi-tenant architecture).
  • Audit logging: All sensitive actions (data access, modifications, deletions) are logged.
  • Rate limiting: Applied to prevent abuse and brute-force attacks.
  • Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options.
  • Input validation: Sanitisation and validation to prevent injection attacks.
  • Soft delete with retention windows: Configurable candidate data retention periods; file deletions use a 14-day grace period before permanent removal.
  • Backups: Regular automated backups with point-in-time recovery.
  • Personnel security: Confidentiality obligations and access on a need-to-know basis.
  • Vulnerability management: Regular dependency updates and security review of changes.

The Processor may update these measures from time to time, provided the level of security is not reduced.

13. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR. The Controller (or an independent auditor mandated by the Controller and bound by confidentiality obligations) may, no more than once per calendar year, conduct an audit of the Processor's compliance with this DPA. The Controller shall provide at least 30 days' prior written notice, conduct the audit during the Processor's normal business hours, and avoid undue disruption to the Processor's operations. The Processor may, in lieu of an on-site audit, provide the Controller with independent third-party reports (e.g. SOC 2, ISO 27001) covering the relevant controls. The Controller shall accept such reports as sufficient evidence of compliance unless they are reasonably insufficient for the audit's purpose. The cost of audits shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear its own costs and reimburse reasonable costs of the auditor. In the case of regulator-mandated audits, this section does not limit a regulator's audit rights under applicable law.

14. Data Retention and Deletion

The Processor retains Personal Data in accordance with retention settings configured by the Controller. The Controller may configure automatic deletion periods for candidate data. File deletions use a 14-day grace period before permanent removal. Upon termination of the Service, the Controller may export all data (in JSON, XLSX, or TXT format) within 30 days, after which the Processor shall delete the data and provide written confirmation upon request.

15. Liability

The liability of each party under this DPA is subject to and shall not exceed the limitations of liability set out in the Terms of Service. Nothing in this DPA limits the liability of either party where such liability cannot be limited under mandatory provisions of applicable law. Each party is liable for damages caused by processing carried out in violation of the GDPR, in accordance with Article 82 GDPR. The Processor is liable for damage caused by processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller.

16. Governing Law

This DPA is governed by the laws of the Republic of Lithuania and shall be interpreted consistently with the Terms of Service. Disputes shall be resolved as set out in the Terms of Service.

17. Conflict

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to matters concerning the processing of Personal Data.

18. Contact

For questions regarding this DPA, please contact:

SSIT, MB
Blindžių g. 24-5, LT-08110 Vilnius, Lithuania
Email: info@talentika.lt
